Data Breaches Put Patients At Risk For Identity Theft

March 9, 2012

By: Robin Erb

DETROIT – Walk into a doctor’s office and chances are that some of your most private information — from your Social Security number to the details of your last cervical exam and your family’s cancer history — is stored electronically.

Your doctor might access the information on a cell phone that could slip into the wrong hands. The staff might take it home on a laptop or a flash drive.

They have to. According to a recent report by the Ponemon Institute, a Traverse City, Mich.-based firm that conducts research about privacy and security:

Data breaches nationally grew 32% last year, mostly because of employee negligence and lack of oversight.

Nearly all of the 72 organizations surveyed reported at least one incident of lost or stolen information in the previous year.

And although four out of five doctors use smartphones, more than half say they are not taking precautions to encrypt information.

The top three causes for a data breach were lost or stolen computing devices, unintentional release of information by contractors and unintentional employee action, according to the report.

More than half of the respondents reported they had little or no confidence that their organization would be able to detect all breaches.

“It’s almost a matter of time before anyone can be a victim. The key is catching it early,” said Dennis Doherty, an assistant prosecutor who handles fraud cases for Wayne County, Mich.

A Growing Problem

Michigan has had at least 11 breaches of medical data since 2009 involving information for more than 500 people — the threshold at which those incidents must be publicly reported. In all, the cases involved personal medical information for more than 118,000 people.

Throughout the U.S., more than 390 such breaches involving the records of more than 19 million people have been reported since September 2009, when the new federal Health Information Technology for Economic and Clinical Health (HITECH) Act boosted penalties for providers whose data are stolen, lost or otherwise breached, according to the U.S. Department of Health and Human Services’ Office of Civil Rights.

Thousands of smaller breaches occur annually.

“I think most consumers are still in the dark about this,” said Deven McGraw, director of the Health Privacy Project at the Washington-based Center for Democracy & Technology.

Not Jane Doe.

That’s the name used by a Detroit-area woman who filed a lawsuit last week after a transcription service for Henry Ford Health System inadvertently put her medical information on the Internet — her name, medical record number and diagnosis of “cervical dysplasia secondary to HPV (human papillomavirus),” according to the suit.

Though it’s the most common sexually transmitted infection, the woman told the Free Press she was “infuriated,” worrying that someone might see it and “think I’m the kind of girl that I’m not.”

Henry Ford, in a written statement Friday, said its contractor was responsible for the breach, and patients were notified immediately. The statement also apologized to affected patients.

Elizabeth Thomson, Jane Doe’s Bloomfield Hills, Mich.-based attorney, has filed the case as a class action. She said “people get worked up about their Social Security numbers, and understandably so.” But in a day of Internet searches and social media, “you can do a lot of damage with a little bit of information, even without a Social Security number.”

In at least three states, attorneys general have successfully filed actions in cases of large-scale breaches. In the first, then-Attorney General Richard Blumenthal in Connecticut settled for $250,000 a lawsuit against insurer HealthNet. The insurer was accused of losing a computer disk containing information for more than 1.5 million consumers. HealthNet also had to take measures to prevent further incidents under the 2010 settlement.

Vermont and Indiana also have fined or settled suits under the HITECH rules.

Crime Goes Unnoticed

It’s unclear just how often medical information is misused; a person who steals an ID to get prescription drugs might slip through for years unnoticed. A stolen laptop with patient data might be reported to local police but never linked to fraudulent billing in another jurisdiction.

And the theft of medical information is often sifted into the larger category of ID theft — patients’ information stolen to apply for credit cards or stolen credit cards used to get medical services.

One of the simplest fixes is investing in devices that can be encrypted so that only authorized personnel can get to data, said Pam Dixon, founder of the California-based World Privacy Forum who has testified before Congress on the lack of security around people’s most personal information.

Medical information, she said, is worth $50 on the street compared with $1 or $2 for a Social Security number. The banking industry has set up safeguards to detect ID theft and financial fraud so, for example, consumers get a call if there are unusual, out-of-country spending sprees. But there are few similar safeguards for medical ID theft, she said.

Perhaps worst of all, breaches of health information erode the public’s trust in their doctors.

“If people lose trust in the health care system, they will not get the care they need,” said Leon Rodriguez, head of the HHS’ Office of Civil Rights.

Rodriguez said his office has spent much of its time after the passage of the 2009 law pushing providers to shore up security.

“A lot of times you’ll hear the covered entities a little overexcited about the cost of complying with the (privacy) rules,” he said. But, he added, “when you look at where the breaches are or where the vulnerabilities are, they really are common sense.”

Leaked information is unacceptable, he said. Doctors “should expect us to move to a much more enforcement approach,” he said.